| title | description | weight | doctypes | toc | docs | |
|---|---|---|---|---|---|---|
Installation with NGINX App Protect |
This document provides an overview of the steps required to use NGINX App Protect with your NGINX Ingress Controller deployment. |
1800 |
true |
DOCS-579 |
Note: The NGINX Kubernetes Ingress Controller integration with NGINX App Protect requires the use of NGINX Plus.
This document provides an overview of the steps required to use NGINX App Protect with your NGINX Ingress Controller deployment. You can visit the linked documents to find additional information and instructions.
You can also install the Ingress Controller with App Protect by using Helm. Use the controller.appprotect.* parameters of the chart.
Take the steps below to either configure a Docker Registry secret in your Kubernetes cluster, or to pull the Docker image that you'll use to deploy NGINX Ingress Controller with App Protect in Kubernetes.
-
Follow the steps to use the JWT token to create a docker registry secret.
-
Alternatively, follow the steps to Pull the NGINX Ingress Controller image.
For NGINX Plus Ingress Controller with App Protect, pull from
private-registry.nginx.com/nginx-ic-nap/nginx-plus-ingress:$ docker pull private-registry.nginx.com/nginx-ic-nap/nginx-plus-ingress:2.2.22.2.2will pull down the Debian based image. The other available image tag is2.2.2-ubifor the UBI based image. -
Use the docker registry API to list the available image tags for the repository.
To list the available image tags for the repository, you can use the Docker registry API, e.g.:
$ curl https://private-registry.nginx.com/v2/nginx-ic-nap/nginx-plus-ingress/tags/list --key <path-to-client.key> --cert <path-to-client.cert> | jq { "name": "nginx-ic-nap/nginx-plus-ingress", "tags": [ "2.2.2-ubi", "2.2.2" ] }
Take the steps below to create the Docker image that you'll use to deploy NGINX Ingress Controller with App Protect in Kubernetes.
-
Build the NGINX Ingress Controller image.
When running the
makecommand to build the image, be sure to use thedebian-image-nap-plustarget. For example:make debian-image-nap-plus PREFIX=<your Docker registry domain>/nginx-plus-ingress
Alternatively, if you want to run on an OpenShift cluster, you can use the
ubi-image-nap-plustarget.If you intend to use external references in NGINX App Protect policies, you may want to provide a custom CA certificate to authenticate with the hosting server. In order to do so, place the
*.crtfile in the build folder and uncomment the lines that follow this comment:#Uncomment the lines below if you want to install a custom CA certificateNote: In the event of a patch version of NGINX Plus being released, make sure to rebuild your image to get the latest version. The Dockerfile will use the latest available version of the Attack Signatures and Threat Campaigns packages at the time of build. If your system is caching the Docker layers and not updating the packages, add
DOCKER_BUILD_OPTIONS="--no-cache"to themakecommand.
Take the steps below to set up and deploy the NGINX Ingress Controller and App Protect module in your Kubernetes cluster.
-
Configure role-based access control (RBAC).
Important: You must have an admin role to configure RBAC in your Kubernetes cluster.
-
Enable the App Protect module by adding the
enable-app-protectcli argument to your Deployment or DaemonSet file.
For more information, see the Configuration guide and the NGINX Ingress Controller with App Protect examples on GitHub.